[Owasp-appsensor-project] Change to Detection Points - SE5 Source IP Address Changes During Session

Colin Watson colin.watson at owasp.org
Thu Jun 10 03:38:11 EDT 2010


John

Thank you for getting the discussion going and your good questions.

> just need a bit more info here - is the intention to allow a user to switch
> IPs as long as it's in the same range and / or ASN and be considered ok?

I'm not sure how "prescriptive" the controls are meant to be.  If
developers roll their own code, they could perhaps choose any one of
these three to suit their application.  For example, if it was an
intranet, a fixed IP might be reasonable.  An online shop may want to
be a bit more flexible to cater for users whose IP addresses change
during their session by use of a proxy.

Do we need to consider X-Forwarded-For here too?

Colin
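The three options Colin lists (fixed address, same range, same ASN) and the X-Forwarded-For question can be made concrete in detector code. The following is an added illustration written for this page, not code from the AppSensor project or from anyone in the thread. It assumes IPv4, a constructed IP-to-ASN table standing in for a real lookup, and a constructed set of trusted reverse proxies; the policy names `fixed`, `range` and `asn` are my own labels for the three choices in the message.

```python
from ipaddress import ip_address, ip_network

# Constructed lookup table standing in for a real IP-to-ASN database.
# Prefixes are RFC 5737 documentation ranges; ASNs are from the private range.
ASN_TABLE = {
    ip_network("198.51.100.0/24"): 64500,
    ip_network("203.0.113.0/24"): 64500,   # second prefix announced by the same ASN
    ip_network("192.0.2.0/24"): 64501,
}

# Reverse proxies whose X-Forwarded-For header we are willing to believe (constructed).
TRUSTED_PROXIES = {ip_address("10.0.0.5")}


def lookup_asn(addr):
    """Return the constructed ASN for addr, or None if it is not in the table."""
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return None


def client_ip(remote_addr, xff=None):
    """Decide which address represents the client.

    X-Forwarded-For is client-supplied unless the TCP peer is one of our own
    proxies, so it is only consulted when remote_addr is trusted; in that case
    the rightmost entry is the one appended by that proxy.
    """
    peer = ip_address(remote_addr)
    if peer in TRUSTED_PROXIES and xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            try:
                return ip_address(hops[-1])
            except ValueError:
                pass  # malformed header: fall back to the peer address
    return peer


def ip_changed(policy, session_ip, current_ip, prefixlen=24):
    """Apply one of the three SE5 policies discussed in the thread.

    fixed : any change in address is an event
    range : a change is tolerated inside the same /prefixlen block
    asn   : a change is tolerated inside the same ASN (unknown ASN counts as a change)
    """
    if session_ip == current_ip:
        return False
    if policy == "fixed":
        return True
    if policy == "range":
        block = ip_network((str(session_ip), prefixlen), strict=False)
        return current_ip not in block
    if policy == "asn":
        a, b = lookup_asn(session_ip), lookup_asn(current_ip)
        return a is None or b is None or a != b
    raise ValueError(f"unknown policy {policy!r}")


def detect_se5(policy, requests):
    """Run the detector over one session's requests.

    requests: list of (remote_addr, x_forwarded_for_or_None), constructed.
    The first request binds the session to an address; each later request
    that violates the policy yields an SE5 event (session_ip, current_ip).
    """
    events = []
    session_ip = None
    for remote_addr, xff in requests:
        current = client_ip(remote_addr, xff)
        if session_ip is None:
            session_ip = current
            continue
        if ip_changed(policy, session_ip, current):
            events.append((str(session_ip), str(current)))
    return events


# Constructed session: a user behind our proxy whose address drifts within
# one /24, then moves to another prefix of the same ASN, then to another ASN.
SAMPLE_SESSION = [
    ("10.0.0.5", "198.51.100.7"),
    ("10.0.0.5", "198.51.100.200"),
    ("10.0.0.5", "203.0.113.9"),
    ("192.0.2.1", "198.51.100.7"),   # direct connection, so its XFF header is ignored
]

if __name__ == "__main__":
    for policy in ("fixed", "range", "asn"):
        print(policy, detect_se5(policy, SAMPLE_SESSION))
```

Run against the constructed session, `fixed` raises three events, `range` two and `asn` one, which is the trade-off the message describes between an intranet and an online shop. The X-Forwarded-For handling is the part that most needs care: the header is only read when the connection arrives from a listed proxy, otherwise the detector would be keyed on a value the client chose.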
